Change local Admin password on all domain PCs

[Ken]

Is there as group policy setting that will allow resetting all local
administrator passwords centrally?
If not does anyone know of a utility that would do this on 400 desktops?

-Ken

 

[Dmitry Korolyov [MVP]]

You can script it. Just add the script to the startup scripts. Here's a code
example:

Dim Container
Dim ContainerName
Dim User, UsrSID, b
Dim WshNetwork

Set WshNetwork = WScript.CreateObject("WScript.Network")
'--- Set objFSO=WScript.CreateObject("WScriopt.FileSystemObject")

ComputerName=WshNetwork.ComputerName

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2")

strSelect="Select * from Win32_UserAccount"

Set colSystemUsers = objWMIService.ExecQuery (strSelect)

For Each objSystemUser in colSystemUsers
if Right(objSystemUser.SID,3)="500" Then
Set objUser = GetObject("WinNT://" & ComputerName & "/" &
objSystemUser.Name & ",user")
NewPassword="MySuperPassword"
Call objUser.SetPassword(NewPassword)
Exit For
End If
Next

The script doesn't care about built-in admin account's name, can be used
with any name.


--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


Is there as group policy setting that will allow resetting all local
administrator passwords centrally?
If not does anyone know of a utility that would do this on 400 desktops?

-Ken

 

[Mike Herchel]

You can also use Sysinternal's pspwd.exe utility (I use it). www.sysinternals.com
You can script it. Just add the script to the startup scripts. Here's a code example:

Dim Container
Dim ContainerName
Dim User, UsrSID, b
Dim WshNetwork

Set WshNetwork = WScript.CreateObject("WScript.Network")
'--- Set objFSO=WScript.CreateObject("WScriopt.FileSystemObject")

ComputerName=WshNetwork.ComputerName

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2")

strSelect="Select * from Win32_UserAccount"

Set colSystemUsers = objWMIService.ExecQuery (strSelect)

For Each objSystemUser in colSystemUsers
if Right(objSystemUser.SID,3)="500" Then
Set objUser = GetObject("WinNT://" & ComputerName & "/" & objSystemUser.Name & ",user")
NewPassword="MySuperPassword"
Call objUser.SetPassword(NewPassword)
Exit For
End If
Next

The script doesn't care about built-in admin account's name, can be used with any name.


--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


Is there as group policy setting that will allow resetting all local
administrator passwords centrally?
If not does anyone know of a utility that would do this on 400 desktops?

-Ken

 

[Hank Arnold]

Could you provide a link? I did a search on their site and it wasn't
found....

--
Regards,
Hank Arnold

You can also use Sysinternal's pspwd.exe utility (I use it).
www.sysinternals.com

 

[Jerold Schulman]

Could you provide a link? I did a search on their site and it wasn't
found....

http://www.sysinternals.com/files/pspasswd.zip

After unzipping, copy to a folder in your path.

pspasswd /?

PsPasswd v1.21 - Local and remote password changer
Copyright (C) 2003-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

PsPasswd changes passwords on a local or remote system.

Usage: pspasswd [\\[computer[,computer,[,...]|Domain]|@file] [-u Username [-p
Password]]] Username [NewPassword]
computer Direct PsPasswd to perform the command on the remote
computer or computers specified. If you omit the computer
name PsPasswd runs the command on the local system,
and if you specify a wildcard (\\*), PsPasswd runs the
command on all computers in the current domain.
@file PsPasswd will change the password on the computers listed
in the file.
-u Specifies optional user name for login to remote
computer.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
Username Specifies name of account for password change.
NewPassword New password. If ommitted a NULL password is applied.



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

 

[j-AK]

I can't see any justification to use a GPO to run a script containing passwords. EVERYONE can read these!!!